More Web Proxy on the site http://driver.im/

research-article

Smart keys for cyber-cars: secure smartphone-based NFC-enabled car immobilizer

Authors:

Christoph Busold,

Christian Wachsmann,

Alexandra Dmitrienko,

Hervé Seudié,

Ahmad-Reza SadeghiAuthors Info & Claims

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

Pages 233 - 242

https://doi.org/10.1145/2435349.2435382

Published: 18 February 2013 Publication History

Abstract

Smartphones have become very popular and versatile devices. An emerging trend is the integration of smartphones into automotive systems and applications, particularly access control systems to unlock cars (doors and immobilizers). Smartphone-based automotive solutions promise to greatly enhance the user's experience by providing advanced features far beyond the conventional dedicated tokens/transponders.

We present the first open security framework for secure smartphone-based immobilizers. Our generic security architecture protects the electronic access tokens on the smartphone and provides advanced features such as context-aware access policies, remote issuing and revocation of access rights and their delegation to other users. We discuss various approaches to instantiate our security architecture based on different hardware-based trusted execution environments, and elaborate on their security properties. We implemented our immobilizer system based on the latest Android-based smartphone and a microSD smartcard. Further, we support the algorithmic proofs of the security of the underlying protocols with automated formal verification tools.

References

[1]

MIFARE4Mobile.org. http://mifare4mobile.org/files/1213/3283/4766/12-03--20_NFC_Ticketing_Europe_2012.pdf, 2012.

[2]

Near Field Communication Forum. http://www.nfc-forum.org/home/.

[3]

M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'01). ACM, 2001.

Digital Library

[4]

T. Alves and D. Felton. TrustZone: Integrated hardware and software security. Information Quaterly, 3(4), 2004.

[5]

Arduino. http://www.arduino.cc/.

[6]

A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, P.-C. Heám, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and L. Vigneron. The AVISPA tool for the automated validation of internet security protocols and applications. In 17th International Conference on Computer Aided Verification (CAV'05). Springer, 2005.

Digital Library

[7]

Atmel. Car access. http://www.atmel.com/applications/automotive/car_access/default.aspx.

[8]

ATMEL. Automotive Compilation Volume 7 December 2010. http://www.atmel.com/Images/atmel_autocompilation_vol7_dec2010.pdf, 2010.

[9]

Atmel. Open source immobilizer protocol stack. http://www.atmel.com/dyn/products/tools_card.asp?tool_id=17197, 2010. registration required.

[10]

AVR cryptographic library. Set of cryptographic primitives for Atmel AVR microcontrollers. https://www.das-labor.org/wiki/AVR-Crypto-Lib.

[11]

J. Azema and G. Fayad. M-Shield mobile security technology: Making wireless secure. Texas Instruments white paper, 2008. http://focus.ti.com/pdfs/wtbu/ti_mshield_whitepaper.pdf.

[12]

L. Bauer, L. Cranor, R. W. Reeder, M. K. Reiter, and K. Vaniea. Comparing access-control technologies: A study of keys and smartphones. Technical report, 2007.

[13]

L. Bauer, L. F. Cranor, M. K. Reiter, and K. Vaniea. Lessons learned from the deployment of a smartphone-based access-control system. In 3rd symposium on Usable privacy and security (SOUPS'07). ACM, 2007.

Digital Library

[14]

L. Bauer, S. Garriss, J. M. McCune, M. K. Reiter, J. Rouse, and P. Rutenbar. Device-enabled authorization in the Grey system. In 8th International Conference on Information Security (ISC'05). Springer-Verlag, 2005.

Digital Library

[15]

B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In 14th IEEE Computer Security Foundations Workshop (CSFW'01). IEEE Computer Society, 2001.

Digital Library

[16]

B. Blanchet. From secrecy to authenticity in security protocols. In 9th International Static Analysis Symposium (SAS'02). Springer Verlag, 2002.

Digital Library

[17]

C. Cremers. Scyther - Semantics and Verification of Security Protocols. Ph.D. dissertation, Eindhoven University of Technology, 2006.

[18]

C. Cremers. Unbounded verification, falsification, and characterization of security protocols by pattern refinement. In 15th ACM conference on Computer and communications security (CCS'08). ACM, 2008.

Digital Library

[19]

C. Cremers, P. Lafourcade, and P. Nadeau. Comparing state spaces in automatic protocol analysis. In Formal to Practical Security. Springer Berlin Heidelberg, 2009.

Digital Library

[20]

CyanogenMod. http://www.cyanogenmod.com/.

[21]

N. Dalal, J. Shah, K. Hisaria, and D. Jinwala. A comparative analysis of tools for verification of security protocols. IJCNS, 3(10):779--787, 2010.

[22]

A. Dmitrienko, A.-R. Sadeghi, S. Tamrakar, and C. Wachsmann. SmartTokens: Delegable access control with NFC-enabled smartphones. In 5th International Conference on Trust & Trustworthy Computing (TRUST'12), 2012.

Digital Library

[23]

D. Dolev and A. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198--207, 1983.

Digital Library

[24]

A. Francillon, B. Danev, and S.vCapkun. Relay attacks on passive keyless entry and start systems in modern cars. In Network and Distributed System Security Symposium (NDSS), 2011.

[25]

L. Francis, G. Hancke, K. Mayes, and K. Markantonakis. Practical NFC peer-to-peer relay attack using mobile phones. In 6th International Conference on Radio Frequency Identification: Security and Privacy Issues (RFIDSec'10). Springer-Verlag, 2010.

Digital Library

[26]

Google. http://www.google.com/wallet/.

[27]

Google Wallet. http://www.google.com/wallet/, 2012.

[28]

E. Haselsteiner and K. Breitfuß. Security in Near Field Communication (NFC). Strengths and weaknesses. In Workshop on RFID Security, 2006.

[29]

J. Heyszl and F. Stumpf. Asymmetric cryptography in automotive access and immobilizer systems. 9th Embedded Security in Cars Conference, 2011.

[30]

S. Indesteege, N. Keller, O. Dunkelman, E. Biham, and B. Preneel. A practical attack on KeeLoq. In 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT'08). Springer-Verlag, 2008.

Digital Library

[31]

International Organization for Standardization. International Standard ISO/IEC 14443--4. Identification cards -- Contactless integrated circuit cards -- Proximity cards.

[32]

M. Kasper, T. Kasper, A. Moradi, and C. Paar. Breaking KeeLoq in a flash: On extracting keys at lightning speed. In 2nd International Conference on Cryptology in Africa (AFRICACRYPT'09). Springer, 2009.

Digital Library

[33]

K. Kostiainen, J.-E. Ekberg, N. Asokan, and A. Rantala. On-board credentials with open provisioning. In 4th ACM Symposium on Information, Computer, and Communications Security (ASIACCS'09). ACM, 2009.

Digital Library

[34]

K. Lemke, A.-R. Sadeghi, and C. Stüble. An open approach for designing secure electronic immobilizers. In Information Security Practice and Experience (ISPEC'05), 2005.

Digital Library

[35]

P. Lepek. Configurable, secure, open immobilizer implementation. In Embedded Security in Cars, 2010.

[36]

R. Naatanen, O. Syssoeva, and R. Takegata. Automatic time perception in the human brain for intervals ranging from milliseconds to seconds. Psychophysiology, 41(4):660--663, 2004.

[37]

NFC Shield. Near Field Communication interface for Arduino. http://www.seeedstudio.com/wiki/NFC_Shield.

[38]

NFC World. Orange and Valeo demonstrate NFC car key concept, 2010. http://www.nfcworld.com/2010/10/07/34592/orange-and-valeo-demonstrate-nfc-car-key-concept/.

[39]

NXP. Car access and immobilizers. http://www.nxp.com/products/automotive/car_access_immobilizers/.

[40]

NXP. NXP and Continental demonstrate the world's first concept car embedding NFC at Mobile World Congress, 2011. http://www.nxp.com/news/press-releases/2011/02/nxp-and-continental-demonstrate-the-world-s-first-concept-car-embedding-nfc-at-mobile-world-congress.html.

[41]

PN532 Near Field Communication (NFC) controller. NXP Semiconductors. http://www.nxp.com/products/identification_and_security/reader_ics/nfc_devices/series/PN532.html.

[42]

Scientific American. Hack My Ride: Cyber Attack Risk on Car Computers, 2011. http://www.scientificamerican.com/article.cfm?id=hack-my-ride.

[43]

Secure Element Evaluation Kit for the Android platform. http://code.google.com/p/seek-for-android/.

[44]

G. . D. S. F. Solutions. The Mobile Security Card SE 1.0 offers increased security. http://www.gd-sfs.com/the-mobile-security-card/mobile-security-card-se-1-0/.

[45]

S. Tamrakar, J.-E. Ekberg, and N. Asokan. Identity verification schemes for public transport ticketing with NFC phones. In ACM workshop on Scalable Trusted Computing (STC'11). ACM, 2011.

Digital Library

[46]

Telcred. secure offline access control with NFC. http://www.telcred.com/, 2012.

[47]

Telecom. Deutsche Telekom and automotive supplier Continental demonstrated car keys, 2011. http://www.telekom.com/innovation/connectedcar/81840.

[48]

S. Tillich and M. Wójcik. Security analysis of an open car immobilizer protocol stack. 10th International Conference on Applied Cryptograpy and Network Security (ACNS'12), 2012.

[49]

Tyfone. Tyfone to license SideTap MicroSD NFC and Secure Element Card technologies to AboMem, 2011. http://tyfone.com/newsroom/?p=541.

[50]

R. Verdult, F. Garcia, and J. Balasch. Gone in 360 seconds: Hijacking with Hitag2. In 21st USENIX Security Symposium, 2012.

Digital Library

[51]

ZDNet. Android malware numbers explode to 25,000 in June 2012. http://www.zdnet.com/android-malware-numbers-explode-to-25000-in-june-2012--7000001046/, 2012.

Cited By

Hinga SImoize AAjani TAtayero A(2024)A Bird’s Eye View of Near Field Communication Technology: Applications, Global Adoption, and Impact in AfricaSN Computer Science10.1007/s42979-024-02618-65:3Online publication date: 24-Feb-2024
https://doi.org/10.1007/s42979-024-02618-6
Berdich AGroza BMayrhofer RLevy EShabtai AElovici Y(2023)Sweep-to-Unlock: Fingerprinting Smartphones Based on Loudspeaker Roll-Off CharacteristicsIEEE Transactions on Mobile Computing10.1109/TMC.2021.311998722:4(2417-2434)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TMC.2021.3119987
Papathanasaki MMaglaras LAyres N(2022)Modern Authentication Methods: A Comprehensive SurveyAI, Computer Science and Robotics Technology10.5772/acrt.082022(1-24)Online publication date: 1-Jun-2022
https://doi.org/10.5772/acrt.08
Show More Cited By

Index Terms

Smart keys for cyber-cars: secure smartphone-based NFC-enabled car immobilizer
1. Security and privacy
  1. Security services
    1. Access control
    2. Authentication
  2. Systems security
    1. Operating systems security

Recommendations

PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Role-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
DW-RBAC: A formal security model of delegation and revocation in workflow systems

One reason workflow systems have been criticized as being inflexible is that they lack support for delegation. This paper shows how delegation can be introduced in a workflow system by extending the role-based access control (RBAC) model. The current ...
A rule-based framework for role-based delegation and revocation

Delegation is the process whereby an active entity in a distributed environment authorizes another entity to access resources. In today's distributed systems, a user often needs to act on another user's behalf with some subset of his/her rights. Most ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy

February 2013

400 pages

ISBN:9781450318907

DOI:10.1145/2435349

General Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Sandhu
University of Texas at San Antonio, USA
,
Program Chair:
Lujo Bauer
Carnegie Mellon University, USA
,
Publications Chair:
Jaehong Park
University of Texas at San Antonio, USA

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 February 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CODASPY'13

Sponsor:

SIGSAC

CODASPY'13: Third ACM Conference on Data and Application Security and Privacy

February 18 - 20, 2013

Texas, San Antonio, USA

Acceptance Rates

CODASPY '13 Paper Acceptance Rate 24 of 107 submissions, 22%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

34
Total Citations
View Citations
990
Total Downloads

Downloads (Last 12 months)30
Downloads (Last 6 weeks)2

Reflects downloads up to 12 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Hinga SImoize AAjani TAtayero A(2024)A Bird’s Eye View of Near Field Communication Technology: Applications, Global Adoption, and Impact in AfricaSN Computer Science10.1007/s42979-024-02618-65:3Online publication date: 24-Feb-2024
https://doi.org/10.1007/s42979-024-02618-6
Berdich AGroza BMayrhofer RLevy EShabtai AElovici Y(2023)Sweep-to-Unlock: Fingerprinting Smartphones Based on Loudspeaker Roll-Off CharacteristicsIEEE Transactions on Mobile Computing10.1109/TMC.2021.311998722:4(2417-2434)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TMC.2021.3119987
Papathanasaki MMaglaras LAyres N(2022)Modern Authentication Methods: A Comprehensive SurveyAI, Computer Science and Robotics Technology10.5772/acrt.082022(1-24)Online publication date: 1-Jun-2022
https://doi.org/10.5772/acrt.08
Kulik TDongol BLarsen PMacedo HSchneider STran-Jørgensen PWoodcock J(2022)A Survey of Practical Formal Methods for SecurityFormal Aspects of Computing10.1145/352258234:1(1-39)Online publication date: 5-Jul-2022
https://dl.acm.org/doi/10.1145/3522582
Symeonidis IRotaru DMustafa MMennink BPreneel BPapadimitratos P(2022)HERMES: Scalable, Secure, and Privacy-Enhancing Vehicular Sharing-Access SystemIEEE Internet of Things Journal10.1109/JIOT.2021.30949309:1(129-151)Online publication date: 1-Jan-2022
https://doi.org/10.1109/JIOT.2021.3094930
Tripathy SAggarwal MChakraborty SGai KRaymond Choo K(2021)Beyond Uber and Lyft: A Decentralized Cab Consortium over BlockchainsProceedings of the 3rd ACM International Symposium on Blockchain and Secure Critical Infrastructure10.1145/3457337.3457847(97-102)Online publication date: 24-May-2021
https://dl.acm.org/doi/10.1145/3457337.3457847
Plappert CJäger LFuchs ACao JHo Au MLin ZYung M(2021)Secure Role and Rights Management for Automotive Access and Feature ActivationProceedings of the 2021 ACM Asia Conference on Computer and Communications Security10.1145/3433210.3437521(227-241)Online publication date: 24-May-2021
https://dl.acm.org/doi/10.1145/3433210.3437521
Pollicino FFerretti LStabili DMarchetti M(2021)Accountable and privacy-aware flexible car sharing and rental services2021 IEEE 20th International Symposium on Network Computing and Applications (NCA)10.1109/NCA53618.2021.9685942(1-7)Online publication date: 23-Nov-2021
https://doi.org/10.1109/NCA53618.2021.9685942
Kim MLee JPark KPark YPark KPark Y(2021)Design of Secure Decentralized Car-Sharing System Using BlockchainIEEE Access10.1109/ACCESS.2021.30714999(54796-54810)Online publication date: 2021
https://doi.org/10.1109/ACCESS.2021.3071499
Wang XYan L(2021)Fused computational approach used in transportation industry for congestion monitoringSoft Computing - A Fusion of Foundations, Methodologies and Applications10.1007/s00500-021-05888-x25:18(12203-12211)Online publication date: 1-Sep-2021
https://dl.acm.org/doi/10.1007/s00500-021-05888-x
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents